Snort mailing list archives

Re: MyDoom Outbound Impossible Detects


From: Chris Keladis <chris () cmc optus net au>
Date: Sat, 07 Feb 2004 07:44:14 +1100

At 05:52 AM 2/7/2004, you wrote:

> Hi John,
>
> I'm about to throw up my arms in disgust. I'm seeing outbound SMTP traffic from one of my mail filter machines which looks like MyDoom. However, I can't account for the combination of SMTP to/from addresses and the actual origin and destination of the packets that snort is flagging. The SMTP From: address is an external address. The destination SMTP address is an (invalid) internal address user () andrew com. The mail filter has no way of knowing that it's invalid, however. The source IP address of the packets is my mail filter (Surfcontrol E-Mail Filter). Note that I'm not virus filtering outbound traffic. That's something I intend to remedy as soon as I have budget for doing so. The destination IP address of the packets is one of a number of external Internet email servers.

You could be seeing bounces (aka NDRs) when the worm tries to mail a non-existent account, and your mail server sends a bounce to the sender, with a copy of the original email.

Check your mail logs for a corresponding inbound entry, then an entry saying the user didn't exist, then an entry to deliver the NDR back to the (forged) sender.

If you use sendmail, you should (in theory) be able to grep for the SMTP id of an email in your mail log and see the whole process.




Regards,

Chris.
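The log check Chris describes (inbound message, "User unknown" rejection, NDR back out to the forged sender), worked through as an added example that is not part of the original thread. It correlates sendmail-style maillog lines by queue ID and reports each rejected message together with the bounce it produced, which is exactly the chain that would explain an outbound connection to an external server carrying an external From: address. The log lines, queue IDs, hosts and addresses are constructed for the example; the field layout follows sendmail's usual from=/to=/stat= and "origqid: newqid: DSN: reason" logging, but the exact format on any given box is an assumption to verify against your own maillog.

```python
import re
from collections import defaultdict

# Constructed sendmail-style maillog (not from the original post). One message
# to a non-existent local user that gets bounced, and one normal delivery.
SAMPLE_LOG = """\
Feb  6 20:31:02 mx sendmail[4101]: i16JV2aB004101: from=<alice@example.org>, size=28734, class=0, nrcpts=1, msgid=<x1@example.org>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
Feb  6 20:31:02 mx sendmail[4102]: i16JV2aB004101: to=<user@andrew.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=28734, dsn=5.1.1, stat=User unknown
Feb  6 20:31:02 mx sendmail[4102]: i16JV2aB004101: i16JV2aB004102: DSN: User unknown
Feb  6 20:31:03 mx sendmail[4102]: i16JV2aB004102: to=<alice@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mail.example.org. [198.51.100.7], dsn=2.0.0, stat=Sent (OK)
Feb  6 20:32:10 mx sendmail[4107]: i16JW9cD004107: from=<bob@example.net>, size=1200, class=0, nrcpts=1, msgid=<y2@example.net>, proto=ESMTP, daemon=MTA, relay=[203.0.113.9]
Feb  6 20:32:10 mx sendmail[4108]: i16JW9cD004107: to=<jsmith@andrew.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31200, dsn=2.0.0, stat=Sent
"""

# "Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: rest-of-record"
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
FROM_RE = re.compile(r"^from=<(?P<addr>[^>]*)>.*relay=(?P<relay>.*)$")
TO_RE = re.compile(r"^to=<(?P<addr>[^>]*)>.*stat=(?P<stat>.*)$")
RELAY_RE = re.compile(r"relay=(?P<relay>[^,]+)")
# Bounce generation: the original queue ID is followed by the new DSN queue ID.
DSN_RE = re.compile(r"^(?P<dsnqid>\w+): DSN: (?P<reason>.*)$")


def parse_maillog(text):
    """Group maillog records by queue ID: envelope sender, inbound relay,
    per-recipient delivery status, and the queue ID of any DSN it spawned."""
    msgs = defaultdict(lambda: {"from": None, "relay_in": None, "rcpts": [],
                                "dsn_qid": None, "dsn_reason": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail record (other daemons share the file)
        rec, rest = msgs[m.group("qid")], m.group("rest")
        fm = FROM_RE.match(rest)
        if fm:
            rec["from"], rec["relay_in"] = fm.group("addr"), fm.group("relay")
            continue
        tm = TO_RE.match(rest)
        if tm:
            rm = RELAY_RE.search(rest)
            rec["rcpts"].append({"to": tm.group("addr"), "stat": tm.group("stat"),
                                 "relay": rm.group("relay") if rm else None})
            continue
        dm = DSN_RE.match(rest)
        if dm:
            rec["dsn_qid"], rec["dsn_reason"] = dm.group("dsnqid"), dm.group("reason")
    return msgs


def find_forged_sender_bounces(msgs):
    """Return one record per inbound message that was rejected for an unknown
    local user AND whose DSN was actually delivered back to its envelope
    sender. Chains with any link missing (no DSN line, DSN not yet delivered)
    are skipped rather than guessed at, so a hit always has all three steps."""
    hits = []
    for qid, rec in msgs.items():
        unknown = [r for r in rec["rcpts"] if "user unknown" in r["stat"].lower()]
        if not unknown or not rec["dsn_qid"]:
            continue
        dsn = msgs.get(rec["dsn_qid"])
        if dsn is None:
            continue
        back = [r for r in dsn["rcpts"] if r["to"] == rec["from"]]
        if not back:
            continue
        hits.append({
            "inbound_qid": qid, "inbound_relay": rec["relay_in"],
            "forged_sender": rec["from"], "bad_recipient": unknown[0]["to"],
            "dsn_qid": rec["dsn_qid"], "dsn_reason": rec["dsn_reason"],
            "bounce_relay": back[0]["relay"], "bounce_stat": back[0]["stat"],
        })
    return hits


def analyze(text):
    return find_forged_sender_bounces(parse_maillog(text))


if __name__ == "__main__":
    for h in analyze(SAMPLE_LOG):
        print(f"{h['inbound_qid']}: {h['forged_sender']} -> {h['bad_recipient']} "
              f"({h['dsn_reason']}); NDR {h['dsn_qid']} sent to {h['forged_sender']} "
              f"via {h['bounce_relay']}")
```

Run it against a real maillog with `analyze(open("/var/log/maillog").read())`; each hit gives you the two queue IDs to grep for, and the `bounce_relay` host is the external IP that snort saw as the destination of the "outbound MyDoom" packets. If the From: address in the alert matches a `forged_sender` here, the traffic is an NDR carrying a copy of the worm mail, not an infected host.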

